[21171] in bugtraq


Re: pam session

daemon@ATHENA.MIT.EDU (Jim Breton)
Sun Jun 24 12:48:03 2001

Date: Sat, 23 Jun 2001 18:49:31 +0000
From: Jim Breton <jamesb-bugtraq@alongtheway.com>
To: Christian Kraemer <ckraemer@ginko.de>
Cc: bugtraq@securityfocus.com
Message-ID: <20010623184931455347.16104@alongtheway.com>
Mail-Followup-To: Christian Kraemer <ckraemer@ginko.de>,
	bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <01061903113100.00225@christian.localdomain>; from ckraemer@ginko.de on Tue, Jun 19, 2001 at 03:11:02AM +0200

On Tue, Jun 19, 2001 at 03:11:02AM +0200, Christian Kraemer wrote:
> This is especially annoying if you
> use pam_limits.so to set rlimits. Every user could
> circumvent them easily by calling ssh in this way:
> ssh user@server /bin/sh

True.  Fwiw you can work around this by putting ulimit calls in your 
sshd invocation script.  For example:

#!/bin/sh
# Limits set here are inherited by sshd and by every session it spawns,
# so they hold even when PAM's session phase (and thus pam_limits) is
# skipped.  Values in KiB unless noted.

ulimit -d <#>    # max data segment size
ulimit -f <#>    # max size of files the process may create (1 KiB blocks)
ulimit -l <#>    # max locked-in-memory size
ulimit -m <#>    # max resident set size (not enforced by current Linux kernels)
ulimit -n <#>    # max number of open file descriptors
ulimit -s <#>    # max stack size

[etc.]

Also most Linux distributions' 'init' packages support an
/etc/initscript which will be used for invoking all children of init.
man initscript:

DESCRIPTION
       When  the  shell  script  /etc/initscript is present, init
       will use it to execute the commands  from  inittab.   This
       script  can  be  used  to set things like ulimit and umask
       default values for every process.

which is a good "safety net" for unforeseen issues like this one, as
well as for protecting against resource exhaustion via cron jobs, etc.

I imagine you could do the same thing on other *nixes by putting the
call somewhere early in the bootscripts.


P.S. I see this issue you raised is now being discussed on the
openssh-unix-dev list.
http://marc.theaimsgroup.com/?l=openssh-unix-dev&r=1&w=2&b=200106
